On Jul 9, 2009, at 20:08, [email protected] wrote:
> Reviewers: ihab.awad,
>
> Description:
> cajole_html uses a unique PluginEnvironment that allows limited filesystem references, but barfs on most uses of #fragments. This change relaxes the restriction on #fragments. So now <a href="#foo"> is allowed, and if href="foo.html" is allowed, then href="foo.html#bar" is also allowed.

Don't some webapps use fragments interpreted by JavaScript as commands/internal hyperlinks? If so, wouldn't permitting arbitrary this-page fragments be potentially undesired ambient authority for Caja modules? (If there is already some other stage at which this is rewritten with the domita id suffix, never mind -- I don't know the HTML-cajoling architecture well.)
-- Kevin Reid <http://switchb.org/kpreid/>
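
An added example, not part of the thread and not Caja's code: a sketch of an href policy that makes the allow/deny decision on the part before `#`, as the change describes, and can optionally confine this-page fragments to a per-module id namespace, which is one way to address the ambient-authority question raised above. The names `ALLOWED_FILES`, `splitFragment` and `rewriteHref`, and the `-suffix` format, are assumptions.

```javascript
// Hypothetical allowlist of files a module may link to (constructed sample).
const ALLOWED_FILES = new Set(['foo.html', 'help/index.html']);

// Split "base#fragment" at the first '#'; fragment is null when there is no '#'.
function splitFragment(href) {
  const i = href.indexOf('#');
  return i < 0
    ? { base: href, fragment: null }
    : { base: href.slice(0, i), fragment: href.slice(i + 1) };
}

// Returns the href to emit, or null to reject the link.
// idSuffix (assumed format): when given, a this-page fragment is rewritten so it
// can only name ids carrying the module's suffix, not ids or fragment
// "commands" that belong to the embedding page.
function rewriteHref(href, allowedFiles, idSuffix) {
  const { base, fragment } = splitFragment(href);
  if (base === '') {
    if (fragment === null) return null;   // empty href: nothing to allow
    if (fragment === '') return '#';      // bare "#": names no target
    return idSuffix ? '#' + fragment + '-' + idSuffix  // confined to the module
                    : '#' + fragment;                  // relaxed: passed verbatim
  }
  // The fragment never widens the allowlist: only the base is checked.
  if (!allowedFiles.has(base)) return null;
  return fragment === null ? base : base + '#' + fragment;
}

// Constructed inputs showing both behaviours side by side.
for (const href of ['#foo', 'foo.html#bar', 'bar.html#x', 'http://example.com/#foo']) {
  console.log(href, '->', rewriteHref(href, ALLOWED_FILES),
              '| namespaced:', rewriteHref(href, ALLOWED_FILES, 'mod1'));
}
```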
